isrstealer | ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Size

962KB
MD5

2626b7755d40d743f55c7580a1beb8b0
SHA1

e3771299ec9da3c6ed2ee23ebf509e08fbd1237f
SHA256

ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0
SHA512

1a5df2f2c182601716575f12ea0bc6a677500e9c8a962b442bd1d31c35a6a287c790061b2071ffac31ebf94a138b0e3d6c8ef53b0cd424faa5a7e63259732e05
SSDEEP

24576:Jt24wfvf7a8DPw67oc1xuzoVF5r5QAwFv0XcI:1ef7aD6Ffuw7B2fI

Score

10^/10

isrstealer collection defense_evasion discovery persistence stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 8 IoCs

resource	yara_rule
behavioral2/memory/3568-19-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3568-22-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3568-40-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3568-41-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3892-47-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/4728-60-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/2852-82-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3624-92-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Isrstealer family
isrstealer

Modifies visiblity of hidden/system files in Explorer 2 TTPs 7 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com
Set value (int)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	java.com

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2908-39-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4936-57-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/4324-88-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2908-39-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4936-57-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/4324-88-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	java.com
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

pid	Process
3764	java.com
2964	java.com
952	java.com
1488	java.com
4488	java.com
3480	java.com
5092	java.com

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com
Set value (str)	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2j3ttgc8z87nhh = "C:\\Users\\Admin\\2j3ttgc8z87nhh\\92382.vbs"	java.com

Checks whether UAC is enabled 1 TTPs 7 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	java.com

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 3568	3764	java.com	88
PID 3568 set thread context of 2124	3568	RegSvcs.exe	89
PID 3568 set thread context of 2908	3568	RegSvcs.exe	90
PID 2964 set thread context of 3892	2964	java.com	93
PID 3892 set thread context of 1824	3892	RegSvcs.exe	94
PID 3892 set thread context of 4936	3892	RegSvcs.exe	97
PID 952 set thread context of 4728	952	java.com	101
PID 4728 set thread context of 4280	4728	RegSvcs.exe	102
PID 4728 set thread context of 544	4728	RegSvcs.exe	103
PID 1488 set thread context of 4188	1488	java.com	109
PID 4188 set thread context of 4856	4188	RegSvcs.exe	110
PID 4188 set thread context of 4584	4188	RegSvcs.exe	111
PID 4488 set thread context of 2852	4488	java.com	116
PID 2852 set thread context of 3152	2852	RegSvcs.exe	117
PID 2852 set thread context of 4324	2852	RegSvcs.exe	120
PID 3480 set thread context of 3624	3480	java.com	123
PID 3624 set thread context of 3024	3624	RegSvcs.exe	124
PID 3624 set thread context of 2568	3624	RegSvcs.exe	125
PID 5092 set thread context of 220	5092	java.com	130
PID 220 set thread context of 2328	220	RegSvcs.exe	131

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2124-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2124-27-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2124-28-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2124-29-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2124-31-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2908-37-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2908-38-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2908-39-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1824-51-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/1824-52-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4936-56-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4936-57-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4280-64-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4280-65-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4856-75-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4856-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4324-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4324-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3024-96-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/3024-97-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2328-108-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2328-109-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1392	544	WerFault.exe	103
1008	4584	WerFault.exe	111
1052	3152	WerFault.exe	117
3900	2568	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	java.com

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com
3764	java.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	3764	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	2964	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com
Token: SeDebugPrivilege	952	java.com

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3568	RegSvcs.exe
3892	RegSvcs.exe
4728	RegSvcs.exe
4188	RegSvcs.exe
2852	RegSvcs.exe
3624	RegSvcs.exe
220	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3764	3492	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	86
PID 3492 wrote to memory of 3764	3492	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	86
PID 3492 wrote to memory of 3764	3492	ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe	86
PID 3764 wrote to memory of 3568	3764	java.com	88
PID 3764 wrote to memory of 3568	3764	java.com	88
PID 3764 wrote to memory of 3568	3764	java.com	88
PID 3764 wrote to memory of 3568	3764	java.com	88
PID 3764 wrote to memory of 3568	3764	java.com	88
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2124	3568	RegSvcs.exe	89
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3568 wrote to memory of 2908	3568	RegSvcs.exe	90
PID 3764 wrote to memory of 4784	3764	java.com	91
PID 3764 wrote to memory of 4784	3764	java.com	91
PID 3764 wrote to memory of 4784	3764	java.com	91
PID 4784 wrote to memory of 2964	4784	WScript.exe	92
PID 4784 wrote to memory of 2964	4784	WScript.exe	92
PID 4784 wrote to memory of 2964	4784	WScript.exe	92
PID 2964 wrote to memory of 3892	2964	java.com	93
PID 2964 wrote to memory of 3892	2964	java.com	93
PID 2964 wrote to memory of 3892	2964	java.com	93
PID 2964 wrote to memory of 3892	2964	java.com	93
PID 2964 wrote to memory of 3892	2964	java.com	93
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 1824	3892	RegSvcs.exe	94
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 3892 wrote to memory of 4936	3892	RegSvcs.exe	97
PID 2964 wrote to memory of 3172	2964	java.com	98
PID 2964 wrote to memory of 3172	2964	java.com	98
PID 2964 wrote to memory of 3172	2964	java.com	98
PID 3172 wrote to memory of 952	3172	WScript.exe	99
PID 3172 wrote to memory of 952	3172	WScript.exe	99
PID 3172 wrote to memory of 952	3172	WScript.exe	99
PID 952 wrote to memory of 4728	952	java.com	101
PID 952 wrote to memory of 4728	952	java.com	101
PID 952 wrote to memory of 4728	952	java.com	101
PID 952 wrote to memory of 4728	952	java.com	101
PID 952 wrote to memory of 4728	952	java.com	101
PID 4728 wrote to memory of 4280	4728	RegSvcs.exe	102
PID 4728 wrote to memory of 4280	4728	RegSvcs.exe	102

C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba8ce58efa9742a2f5639697449cf1b3394c40bc74dee3235fa81865a8dae2e0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\2j3ttgc8z87nhh\java.com
  "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\Qyvky9J5dN.ini"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\aJ5uAbLu2d.ini"
      4⤵
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      PID:2908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Admin\2j3ttgc8z87nhh\java.com
      "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3892
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Mt4cNtEwLR.ini"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\Vpn149xLz2.ini"
        6⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4936
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\LXQmIwbG1V.ini"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\qJpQPfvxgR.ini"
        8⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 80
        9⤵
        Program crash
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4188
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\vWCBo8mTAp.ini"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\kQ26PS7edQ.ini"
        10⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 80
        11⤵
        Program crash
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        11⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\oCFtH26JA7.ini"
        12⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 80
        13⤵
        Program crash
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\wCclJ70NKh.ini"
        12⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        13⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\1rKRCcS4TU.ini"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\0jpkXv7Q7a.ini"
        14⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 144
        15⤵
        Program crash
        
        PID:3900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\2J3TTG~1\run.vbs"
        13⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Users\Admin\2j3ttgc8z87nhh\java.com
        
        "C:\Users\Admin\2j3ttgc8z87nhh\java.com" oGQmSBaRL.VPG
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        15⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:220
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\O7RLmy3IqG.ini"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 544 -ip 544
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4584 -ip 4584
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3152 -ip 3152
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2568 -ip 2568
1⤵
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2J3TTG~1\RnVPBHBJlpC.HSV

Filesize
175B

MD5
8f44d5f1c08fd7351d73a3daca2bbfd0

SHA1
e8e669b9fa500019b7b87fdb363e9036f8417531

SHA256
0a90c52851b8e20c3fb985c7ab763a61b9b94d9423ad893132ec0f794fe6faf1

SHA512
fc610f4be75b452a1e146e8d166f25a8c74402b2abac15206a61c53b1eb2d64eb6dcae56da02388581fbaeac965f9144ff23dcec863415dd5f6eeebb7d7fbca0

Download Submit
C:\Users\Admin\2J3TTG~1\VvpRdmt.LGK

Filesize
260KB

MD5
887bfe186323191177fcc1d92fe45aba

SHA1
07edd3c86a74c0a96d4a715761bd35531d716c92

SHA256
0c0d3f3782b615900301db24caa9351ff7decf3f9ce3eb1577c17dda4ab59d1e

SHA512
d9483090b49afc0ab4ec60aac56500fcb60411759d0b94db199e586b530939891f321390c99efddd518d4b873391e144bcb26deb7ea672aec5f1882ae4d3c2b4

Download Submit
C:\Users\Admin\2J3TTG~1\run.vbs

Filesize
90B

MD5
b67f9f21ffe6ce14e34a3faa763e3d7e

SHA1
283811a92820f5558632e2f7eabf4deb198fd131

SHA256
3baee1be372ff258064ab7fd2f72b7330d933160ad3829bcc51782b9d82a5b0c

SHA512
445e9ab432136848c4df6d085899336e89b171bd0497fe08aac49e955be24807a5497682d97169f2d0d785c5d93d75da338c70fc7657f5775d3efbcc83c70c9e

Download Submit
C:\Users\Admin\2j3ttgc8z87nhh\java.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\2j3ttgc8z87nhh\oGQmSBaRL.VPG

Filesize
30.9MB

MD5
b809efdf2ec2751251cb835183d82bb5

SHA1
32cd37d5bbe861d9d7c7044b98c1c2e9312128f6

SHA256
887b5699fc70c681821d92f2e2937696ce68b98277771e9057320278d24aa931

SHA512
752b1ef10868105741d94c32e8053e6131ee4f3a37feda8453b5fd9e35649fd0f400848cfda665c230d81d7a6141313b6035bc5f46d8086e33cb6ac863e97be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qyvky9J5dN.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/1824-52-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-51-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-31-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-109-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2852-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3024-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3568-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-75-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4936-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download